You’re in the final week of diligence with a strategic acquirer. You have sent them everything: roadmap, architecture diagrams, customer list, top-ten deals with pricing, ARR build, model performance benchmarks. The data room is 53 folders deep. They pass.
Six months later the acquirer (the one who passed) launches a competing product. Or they don’t launch anything at all, and their website quietly updates with language that feels eerily similar to yours: phrases from your pitch deck, a tagline that reads like a polished version of your one-pager, positioning that sharpens exactly against the differentiators you showed them in diligence. You cannot prove anything. You just know.
You pull the NDA. Three pages. Mutual. Drafted off a 2018 template. It prohibits use of confidential information “for any purpose other than evaluating the proposed transaction” and disclosure to third parties. It does not use the word “training.” It does not use the word “model.” It does not use the word “AI.”
You call your lawyer. [S: this is where the call gets quiet.]
How sure are you this is not already happening?
Right now, across every diligence you are in, every customer pilot you have signed an NDA for, every partnership call where you walked through a roadmap, every vendor you gave credentials to: how sure are you that your material is not being pasted into ChatGPT, loaded into an enterprise Copilot, indexed into a retrieval system, or fed to a fine-tuned internal model that will spit it back out for someone else next quarter?
The honest answer, for almost every company in 2026, is: not sure at all. You have no way to know. Your NDA does not help you figure it out.
What your NDA actually says
Two operative verbs in every NDA: use and disclose. Use is usually bounded by a permitted purpose, “solely for evaluating the proposed transaction,” “solely to perform under the Agreement.” Disclose is usually limited to third parties.
Both verbs assumed a human on the other side. Use meant reading, discussing, referencing in a meeting. Disclose meant forwarding an email, showing a slide to an outsider, publishing.
Neither verb was drafted with “ingest into a statistical model and query it forever” in mind. [S: drafted before there was anything to ingest.]
Why it does not reach AI training
Four specific failures.
The “use” problem. Training a persistent internal model on your information almost certainly exceeds the permitted purpose. The problem is that your NDA does not say so explicitly, and courts read these clauses narrowly in favor of the recipient. The counterparty argues the model training was incidental to evaluating the transaction. You argue it was not. There is no case law to anchor the fight.
The “disclose” problem. Training is internal. No third party sees your data in recognizable form. The classic disclosure theory does not fit cleanly. When the model later emits something derived from your information to another employee of the counterparty, the counterparty argues no third-party disclosure has occurred.
The derivative / weights defense. The counterparty argues that the model weights are a derivative of their model, not of your data. Weights are not training data. The doctrinal question is genuinely open. No court has answered it squarely. Your lawsuit is the test case nobody wants to be. [M: novel theories cost.]
The residuals clause. Microsoft-style residuals, “general knowledge, skills, and experience retained in the unaided memory of personnel who had authorized access,” appear in half the NDAs in circulation. Whether a fine-tuned model counts as the “unaided memory” of the company’s personnel is the kind of argument that consumes two years of summary-judgment briefing and settles for pennies.
Public tool versus private tool. Both are bad.
The exposure comes through two channels and the NDA addresses neither.
Public AI tools. Your counterparty’s employees paste your material into ChatGPT, Claude, Gemini, or whatever consumer-grade assistant is on their browser tab. You have no contract with the AI provider. Whether the provider trains on the input varies by product, by plan, by user settings, and by what “training” means in their definitions. Even if the counterparty has an enterprise account with a no-training clause, there is no practical way to verify that a specific employee did not paste your deck into a personal ChatGPT account on a personal laptop on a Tuesday night. Your NDA does not contemplate this. It probably does not prohibit it.
Private AI tools. Your counterparty runs its own assistant. An enterprise GPT, a Claude-for-Work with connectors, an internal Copilot, a fine-tuned open-weights model, a RAG pipeline over their document management system. Your materials get ingested. The model now knows your roadmap, your pricing, and your customer list. When the counterparty “deletes” your files after diligence closes, the ingestion has already happened. The model retains what it retains.
Both channels are plausibly breaches in spirit. Neither is a clean breach of a 2018-vintage NDA.
Damages and detection are worse than the liability question
Even if you win the liability argument, damages in a confidentiality case require proof of value and causation. When your information has been absorbed into a model rather than published to the world, the math breaks. What is the harm? How do you quantify it? Injunctive relief against a trained model is practically incoherent. Delete the weights? Retrain from scratch? Neither is going to happen.
And even if all of that were workable, you will not know. Model weights are opaque. Your case begins the day an ex-employee emails you, or it does not begin at all.
What a current-generation NDA needs
If you are signing anything after reading this, make sure it says the following.
- An explicit prohibition on using the confidential information as training data, fine-tuning data, RAG context, evaluation data, or any other input to an AI or machine learning system, whether internal or third-party hosted. Name the categories. Do not rely on the old “use” clause.
- A definition of “AI system” broad enough to cover agents, persistent memory, and architectures that do not yet exist. This language ages fast. Draft for the architectures coming in 2028, not the ones live today.
- A “derivative works” definition that explicitly includes model parameters, weights, embeddings, or system prompts influenced by the information. Otherwise the weights defense walks through the front door.
- The residuals clause eliminated, or narrowed to explicitly exclude anything embedded in a model. If the counterparty will not agree, that is a data point.
- Consider audit rights with teeth, but expect to lose this one. The ideal version gives you access to training logs, acceptable-use enforcement records, and compliance documentation sufficient to verify your material has not been ingested. In practice, no counterparty agrees to it, and even if they did, model audits are nearly impossible to execute meaningfully. Weights are opaque, training libraries are not traceable, and the counterparty controls the scope. Ask for it anyway. The negotiation itself is informative.[1]
There is no retroactive fix
Information already ingested into a model cannot be unwound. An amendment signed next month does not reach what has already happened. If your last M&A process used a 2018 template, your data room is already somewhere, and you will not get it back. That is a sunk loss. The only question is whether you keep adding to it. [S: today’s signing is tomorrow’s sunk cost.]
Get counsel before the next diligence process
This is not a drafting exercise to do off a template. Every major law firm has updated its NDA template in the last two years, and none of them have updated it enough. The form you used in January is probably already behind.[2]
Before your next material diligence process, next partnership discussion, or next customer pilot where you are the one showing your cards, have counsel rewrite the NDA for the AI layer. The counterparty’s reaction to the new language will tell you more about their internal AI practices than any due diligence questionnaire ever will.
A closing thought
Every NDA in circulation assumed a human on the other side.
There is not just a human on the other side anymore. Now AI is there too.
Your NDA doesn’t cover AI. Your next one should.
---
Postscript: the view from the other side of the table
While this piece was being drafted, the following LinkedIn post crossed my feed. The author describes himself as having founded, grown, and sold three companies. He is now buying two more. His words, not mine:
“I’m buying two companies right now. My lawyers sent me both APAs to review before sending to sellers. 130 pages of legal text. A few hours later, I sent back more comments than they expected. All I used was Claude.”
“I set up a dedicated project for each deal. Everything lives in one place: the APA, the Letter of Intent, the Quality of Earnings report, bank statements, customer contracts, vendor agreements, diligence notes.”
“Custom instructions take two minutes and completely change what comes back: 'I’m the buyer. Flag anything that affects purchase price, indemnification exposure, or post-closing liability. Compare all terms against the LOI. Prioritize risk.'”
“I added a legal skill. Claude has a legal plugin with contract review built in. It reviews clause by clause, flags deviations from standard terms as green, yellow, or red, and generates specific redline suggestions.”
He posted this as a productivity brag. Read it from the seller’s chair.
Every customer contract the seller produced in diligence is now indexed next to the APA. Every vendor agreement. Every bank statement. Every diligence note. All of it sitting inside a persistent project, read by a model tuned by the buyer to attack the seller’s position and drive down purchase price.
Nothing in a standard mutual NDA covers this. The buyer argues, correctly, under a 2018 template, that he is “evaluating the proposed transaction” and not disclosing anything to a third party. He is using Claude the way his lawyers use Westlaw. The NDA does not draw the line, because the NDA did not know the line existed.
What the screenshot shows is not a rogue buyer. It is the modal buyer in 2026, posting publicly, proud of the workflow.
Now imagine the deal dies.
Week eight. You walk. Or they walk. Doesn’t matter. Their lawyer sends the standard “we will delete everything” letter. The data room link goes dead. The APA goes back in the drawer.
The ingestion doesn’t.
Project memory. RAG indexes. Vector embeddings. Conversation history. Fine-tuning runs the buyer’s team kicked off quietly on an internal instance. Whatever private assistant, enterprise Copilot, or agent workflow the diligence folder got plugged into during week three. None of it gets the deletion letter.
The model, whichever one, however many, still has your customer contracts, your vendor agreements, your bank statements, your diligence notes, your QoE. The custom instructions are still tuned to your vulnerabilities. The chat history is a map of where the risk sits in your business.
Six months later the buyer closes on someone else in your category. Or starts something new. Or hands the project file to a portfolio company. Or hires an operator out of your customer base.
And here is the sharper problem: the buyer may not know they are using your data. They ask the model for a pricing framework. The model emits one shaped by what it absorbed in week three. They ask for the competitor landscape. The model answers with your positioning, sanded down two degrees. They ask for the three biggest post-closing risks in a target like yours. The model is still running on the instructions you watched them write. No one on the buyer’s side is consciously breaching anything. The ingestion is doing its work silently, on the buyer’s behalf, for free.
How do you know?
You don’t.
You cannot subpoena a chat history you do not know exists. You cannot prove ingestion from a project you cannot see. You cannot force a forensic review of a buyer’s Claude account on a hunch. Your NDA, the 2018 template, does not give you discovery rights into a system that did not exist when it was drafted.
If something resurfaces (a pitch deck that reads like yours, a pricing model that sharpens against yours, a competitor who seems to know exactly where your churn sits) you have suspicion. Not evidence.
The model does not emit attribution. The buyer does not volunteer logs. The doctrine that would let you compel production of a conversational AI project as a confidentiality-breach discovery item has not been written yet.
Your NDA ended when the deal ended.
The data didn’t.
[1] The “we will delete everything” letter that arrives when a deal dies is 2010-vintage protocol. It assumes the buyer can identify and remove every place the data went. It assumes the data is in places that can be deleted. Neither assumption holds in 2026. The letter still arrives. The data still doesn’t go anywhere.
[2] A modern NDA needs language for AI ingestion, derivative weights, retrieval indexes, and tenancy terms that did not exist when the form template was written.